Routed DMZ & NAT from LAN
jrapp last edited by
Although new to pfSense I'm fairly experienced wrt. networking in general, so forgive me for being slightly long winded…
# The setup:
I have two internet conenctions:
WAN - with a static IP
ADSL - with a static IP and a routed /27 subnet (opt1)
And two internal networks (the pfSense box is at the highest IP on each):
DMZ - Using the /27 provided by the ADSL connection (opt2)
LAN - Using RFC1918 space - various subnets routed internally
I've previously used a "failover" SoHo router, however the WAN line has recently been upgraded well beyond the ADSL speed. As a result of this and other failings of the SoHo device I'm looking to deploy a pfSense box as the router and firewall between these four networks.
I think the box should:
- route DMZ traffic in and out over the ADSL (never over the WAN)
- NAT the LAN traffic to either the DMZ or WAN
Later I will look at:
- Firewalling the DMZ
- Outbound load balancing for LAN traffic
I've therefore installed pfSense on a box with four NICs, and configured each NIC appropriately. The ADSL connection is still being handled by the SoHo router at the moment, so that NIC is currently down (and configured for DHCP).
# The problem:
I can use the pfSense box as a default gateway and it NATs me correctly to the internet, however it does not NAT me to the DMZ - it simply routes traffic (so the DMZ boxes see traffic from RFC1918 addresses).
I therefore added the last Outbound NAT rule to the Firewall - so there are now three rules:
WAN 192.168.1.0/24 * * * * * NO Auto created rule for LAN
ADSL 192.168.1.0/24 * * * * * NO Auto created rule for LAN
DMZ 192.168.1.0/24 * * * * * NO DMZ mapping
I was then expecting to see connections from the top IP in the DMZ to the DMZ boxes - but I see traffic from the WAN IP instead.
I suspected that the traffic was using both of our net connections, this was confirmed as when I ran a packet capture on the DMZ interface - no packets were seen.
I presume I'm missing something on the NAT setup, but can't see what it would be. Any ideas/pointers would be appreciated.
jonnytabpni last edited by
Hi john, I'm fairly experienced in networking as well however you probably hav more knowledge however I'll give my 2 pence :)
the outbount NAT rules are used from the top down. Have you tried placing tHe NAT rule at the top? Also
make sure the destination is set to the DMZ sub net
also, would you not expect to see requests coming from your WAN IP? like when you surf the net, external servers will see your WAN IP…
You probably can so some fancy footwork to get the DMZ servers to see the DMZ if interface but I imagine it required adding rules manually